The X-Frame-Options header tells the browser whether the page may be opened inside a frame or iframe. This prevents third-party sites from embedding your pages and attacking your website through them.
For example, if the site https:// sends the header X-Frame-Options with the value ALLOW-FROM https://www.facebook.com, then the site https:// can only be "framed" from the domain www.facebook.com.
Another option is to always deny framing (DENY), or to allow framing only from the same origin (SAMEORIGIN).
These are the values it accepts:
- DENY: the page cannot be displayed in a frame/iframe at all.
- SAMEORIGIN: the page can only be displayed in a frame/iframe from your own domain.
- ALLOW-FROM uri: the page can only be displayed in a frame/iframe from the indicated URI.
The simplest way to add this header is to add a few lines of code to the functions.php file of the WordPress theme we are using.
This file is located at wp-content/themes/THEME_NAME/functions.php, where THEME_NAME is the name of the theme we have activated.
First, make a backup copy of the functions.php file. Then edit it and add the following code at the end:
// Send X-Frame-Options with every response WordPress generates
add_action( 'send_headers', 'add_header_xframeoptions' );
function add_header_xframeoptions() {
    header( 'X-Frame-Options: SAMEORIGIN' );
}
There are other ways to add this header. If Apache is the web server, we can use the .htaccess file, adding the line indicated below:
# "set" replaces any value already present; "append" would stack a second value onto one that PHP has already sent
Header always set X-Frame-Options "SAMEORIGIN"
In case of using Nginx, the following code should be entered in the Nginx configuration file:
add_header X-Frame-Options SAMEORIGIN;
You can find more technical information at .
If we want to add other security headers from the functions.php file, we can do it with a single function instead of one function per header; the behaviour is the same.
In the following example code, which should be placed at the end of the functions.php file, the headers X-Content-Type-Options, X-Frame-Options and X-XSS-Protection are added:
// Send several security headers from a single hook
add_action( 'send_headers', 'add_header_security' );
function add_header_security() {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-XSS-Protection: 1; mode=block' );
}
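Once the header is deployed, it is worth checking what the browser actually receives. The following is an added example, not code from the original post: a small Python validator for the X-Frame-Options value of a response. It accepts the values listed above, flags a missing header, an unrecognised value, and several values on one header (for instance one sent by PHP and a second one added by the web server), and treats ALLOW-FROM as a warning because current browsers no longer honour it. The header dictionaries and the check_x_frame_options function are constructed for this example.

```python
"""Validate the X-Frame-Options header of an HTTP response (added example)."""
from typing import Dict, List, Tuple

VALID_TOKENS = {"DENY", "SAMEORIGIN"}


def parse_xfo(raw_value: str) -> List[str]:
    """Split a raw header value into its comma-separated member values."""
    return [part.strip() for part in raw_value.split(",") if part.strip()]


def _get(headers: Dict[str, str], name: str):
    """Case-insensitive header lookup, as HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name), None)


def check_x_frame_options(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, message); status is "ok", "warn" or "fail".

    Repeated header lines are assumed to have been joined with commas,
    which is how most HTTP client libraries expose them.
    """
    value = _get(headers, "x-frame-options")
    if value is None:
        csp = _get(headers, "content-security-policy") or ""
        if "frame-ancestors" in csp.lower():
            return "ok", "no X-Frame-Options, but CSP frame-ancestors is present"
        return "fail", "X-Frame-Options is missing: the page can be framed from anywhere"
    members = parse_xfo(value)
    if len(members) != 1:
        return "fail", f"several values {members!r}: send exactly one value"
    token = members[0].upper()
    if token in VALID_TOKENS:
        return "ok", f"X-Frame-Options: {token}"
    if token.startswith("ALLOW-FROM "):
        return "warn", "ALLOW-FROM is obsolete in current browsers; use CSP frame-ancestors"
    return "fail", f"unrecognised value {members[0]!r}: browsers ignore it"


# Constructed sample responses (not real captures).
SAMPLES = {
    "wordpress_ok": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "stacked_twice": {"X-Frame-Options": "SAMEORIGIN, SAMEORIGIN"},
    "missing": {"Content-Type": "text/html"},
    "allow_from": {"x-frame-options": "ALLOW-FROM https://www.facebook.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        status, msg = check_x_frame_options(hdrs)
        print(f"{name:14} {status:4} {msg}")
```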
Member of the Systems Administration team at and leader of the CiberProtector and CiberBox development team.